Fixes #19 custom Access-Control-Allow-Origin header

README.md

@@ -0,0 +1,71 @@
+# test-cors.org
+
+The code behind http://test-cors.org
+
+## Directory Structure
+
+The code is divided into two parts:
+
+1. The *client* code in `src/client` that makes the CORS request.
+2. The *server* code in `src/server` that receives the CORS request.
+
+The client and server code need to live on different origins (in order to be a
+true cross-origin request). The code here is deployed to Google's App Engine.
+
+
+## Development Workflow for contributing
+
+### Fork and Pull-Request
+
+- Fork this repository,
+- create a branch linking to the issue you want to fix,
+- commit tested changes
+- push to your fork
+- once everything is done and the issue is solved, create a Pull-Request
+
+### Local Server
+
+#### Changing the code
+
+The Server is written in Python.
+
+Check your syntax by compiling it:
+```
+python -m py_compile server/corsserver.py
+```
+
+#### Running a local Server
+
+https://cloud.google.com/appengine/docs/standard/python/tools/using-local-server
+Install Google Cloud App Engine
+
+Run the local server, for example like this:
+```
+sudo dev_appserver.py server/app.yaml --port=80
+```
+
+You can test the server with cURL.
+```
+curl -v http://localhost:80/server 
+```
+it should reply with an HTTP 200 Response.
+
+Then you can create your own requests, for example to try setting an allowed origin: *
+```
+curl 'http://localhost:80/server?id=3871331&enable=true&status=200&credentials=false&origin=*' -H 'origin: https://www.test-cors.org' -H 'accept: */*' -H 'referer: https://www.test-cors.org/' -v
+```
+It should reply HTTP 200, with response header `Access-Control-Allow-Origin: *`
+
+### Local Client
+
+Run the local client, for example like this:
+```
+sudo dev_appserver.py client/app.yaml --port=8080
+```
+
+Open `http://localhost:8080`, you will see the *test-cors.org* website.
+Select *Server*: Remote, and change the URL to `http://localhost`
+
+
+
+

client/static/corsclient.html

@@ -89,6 +89,13 @@ <h1>test-cors.org</h1>
 
       <div class="tab-pane" id="tablocal">
 
+        <div class="control-group" id="server_local_url_div" title="Help: Local URL" data-content="The URL to test for CORS support.">
+          <label class="control-label" for="server_local_url">Local URL</label>
+          <div class="controls">
+            <input type="text" id="server_local_url" class="span2" value="https://server.test-cors.org/server"/>
+          </div>
+        </div>
+
         <div class="control-group" id="server_enable_div" title="Help: Enable CORS" data-content="Whether or not the server should allow CORS requests.">
           <label class="control-label" for="server_enable">Enable CORS</label>
           <div class="controls">
@@ -103,6 +110,13 @@ <h1>test-cors.org</h1>
           </div>
         </div>
 
+        <div class="control-group" id="server_origin_div" title="Help: Allow Origin" data-content="Whether the server should mirror the origin (leave blank) or have a specific origin value, like '*'.">
+          <label class="control-label" for="server_origin">Allow Origin</label>
+          <div class="controls">
+            <input type="text" id="server_origin" class="span2" />
+          </div>
+        </div>
+
         <div class="control-group" id="server_credentials_div" title="Help: Allow Credentials" data-content="Whether the server should allow cookies on the request.">
           <label class="control-label" for="server_credentials">Allow Credentials</label>
           <div class="controls">

client/static/js/corsclient.js

@@ -4,7 +4,7 @@
  * The url to send the request to
  * (if using "local" mode).
  */
-var SERVER_URL = 'http://server.test-cors.org/server';
+var DEFAULT_SERVER_URL = 'http://server.test-cors.org/server';
 
 /**
  * The prefix to identify server fields.
@@ -454,6 +454,11 @@ var getServerUrl = function(controller) {
     // If running in "remote" mode, use the url supplied by the user.
     return controller.getValue('server_url');
   }
+  var serverUrl = DEFAULT_SERVER_URL;
+  if (controller.getValue('server_local_url')) {
+    // If 'Local' is selected... still allow the user to supply a non default url.
+    serverUrl = controller.getValue('server_local_url');
+  }
 
   var queryObj = {};
 
@@ -462,15 +467,15 @@ var getServerUrl = function(controller) {
   controller.each(function(index, value) {
     var id = value.getId();
     if (id.indexOf(SERVER_PREFIX_) === 0) {
-      if (id === 'server_tabs' || id === 'server_url') {
+      if (id === 'server_tabs' || id === 'server_url' || id === 'server_local_url') {
         // Skip any server fields that aren't used by the local server.
         return;
       }
       queryObj[value.getId().substring(SERVER_PREFIX_.length)] = value.get();
     }
   });
 
-  return SERVER_URL + '?' + Query.serialize(queryObj);
+  return serverUrl + '?' + Query.serialize(queryObj);
 };
 
 

server/corsserver.py

@@ -87,7 +87,11 @@ def __isCors(self):
     return 'origin' in self.request.headers
 
   def __addCorsHeaders(self, config):
-    self.response.headers['Access-Control-Allow-Origin'] = self.request.headers['origin']
+    if 'origin' in config:
+      origin = str(config['origin'])
+    else:
+      origin = self.request.headers['origin']
+    self.response.headers['Access-Control-Allow-Origin'] = origin
     self.response.headers['Set-Cookie'] = 'cookie-from-server=noop';
     if 'credentials' in config and config['credentials'] == True:
       self.response.headers['Access-Control-Allow-Credentials'] = 'true'
@@ -163,6 +167,8 @@ def __getConfig(self, httpMethod):
       config['credentials'] = True
     config['httpMethod'] = httpMethod
     config['methods'] = self.request.get('methods')
+    if self.request.get('origin'): # falsy if string is empty
+      config['origin'] = self.request.get('origin')
     config['headers'] = self.request.get('headers')
     config['exposeHeaders'] = self.request.get('expose_headers')
     config['id'] = self.request.get('id')